Chapter 10Buffer Overflow

Buffer Overflow● Common attack mechanism

○ first wide use by the Morris Worm in 1988

● Prevention techniques known○ NX bit, stack canaries, ASLR

● Still of major concern○ Recent examples: Shellshock, Hearthbleed

Buffer Overflow/Buffer OverrunDefinition:

A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

Buffer Overflow Basics● Programming error when a process attempts to store data beyond the limits of

a fixed-sized buffer● Overwrites adjacent memory locations

○ locations may hold other program variables, parameters, or program control flow data○ buffer could be located on the stack, in the heap, or in the data section of the process

● Consequences:○ corruption of program data○ unexpected transfer of control○ memory access violations

Basic Buffer Overflow Example

Basic Buffer Overflow Stack Values

Buffer Overflow AttacksAttacker needs:

● To identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control

● To understand how that buffer is stored in memory and determine potential for corruption

Identifying vulnerable programs can be done by:

● inspection of program source● tracing the execution of programs as they process oversized input● using tools such as fuzzing to automatically identify potentially vulnerable

programs

Stack Buffer Overflows● Occur when the buffer is located on stack

○ also known as stack smashing○ exploits included an unchecked buffer overflow

● Widely exploited

● Stack frame○ when one function calls another it needs somewhere to save the return address○ also needs locations to save the parameters to be passed in to the called function and to

possibly save register values

● Code supplied by attacker○ often saved in buffer being overflowed○ traditionally transferred control to a user command-line interpreter (shell)

● Machine code○ specific to processor and operating system○ traditionally needed good assembly language skills to create○ more recently a number of sites and tools have been developed that automate this process

● Metasploit Project○ provides useful information to people who perform penetration, IDS signature development,

and exploit research

Shellcode

Stack Overflow Variants● Target program can be:

○ a trusted system utility○ network service daemon○ commonly used library code

● Shellcode functions○ launch a remote shell when connected to○ create a reverse shell that connects back to the hacker○ use local exploits that establish a shell○ flush firewall rules that currently block other attacks○ break out of a chroot (restricted execution) environment, giving full access to the system

Buffer Overflow Defenses● Buffer overflows are widely exploited

● Two broad defense approaches○ Compile-time: aim to harden programs to resist attacks in new programs○ Run-time: aim to detect and abort attacks in existing programs

Compile-Time Defenses: Programming Language● Use a modern high-level language

○ not vulnerable to buffer overflow attacks○ compiler enforces range checks and permissible operations on variables

● Disadvantages○ additional code must be executed at run time to impose checks○ flexibility and safety comes at a cost in resource use○ distance from the underlying machine language and architecture means that access to some

instructions and hardware resources is lost○ limits their usefulness in writing code,

■ such as device drivers, that must interact with such resources

Compile-Time Defenses: Stack Protection● Add function entry and exit code to check stack for signs of corruption● Use random canary

○ value needs to be unpredictable○ should be different on different systems

● Stackshield and Return Address Defender (RAD)○ GCC extensions that include additional function entry and exit code

■ function entry writes a copy of the return address to a safe region of memory■ function exit code checks the return address in the stack frame against the saved copy■ if change is found, aborts the program

Run-Time Defenses: Executable Address Space Protection

● Use virtual memory support to make some regions of memory non-executable○ requires support from memory management unit ○ long existed on SPARC / Solaris systems○ recent on x86 Linux/Unix/Windows systems

● Issues○ support for executable stack code○ e.g., Java Runtime system○ special provisions are needed

Run-Time Defenses: Address Space Randomization● Manipulate location of key data structures

○ stack, heap, global data○ using random shift for each process○ large address range on modern systems means wasting some has negligible impact

● Randomize location of heap buffers

● Random location of standard library functions

Run-Time Defenses: Guard Pages● Place guard pages between critical regions of memory

○ flagged in memory management unit as illegal addresses○ any attempted access aborts process

● Further extension places guard pages between stack frames and heap buffers

○ cost in execution time to support the large number of page mappings necessary

Replacement Stack Frame● Variant that overwrites buffer and saved frame pointer address

○ Saved frame pointer value is changed to refer to a dummy stack frame○ Current function returns to the replacement dummy frame○ Control is transferred to the shellcode in the overwritten buffer

● Off-by-one attacks○ Coding error that allows one more byte to be copied than there is space available

● Defenses○ Any stack protection mechanisms to detect modifications to the stack frame or return address

by function exit code○ Use non-executable stacks○ Randomization of the stack in memory and of system libraries

Return to System Call● Defenses

○ Any stack protection mechanisms to detect modifications to the stack frame or return address by function exit code

○ Use non-executable stacks

○ Randomization of the stack in memory and of system libraries

● Stack overflow variant replaces return address with standard library function

○ Response to non-executable stack defenses

○ Attacker constructs suitable parameters on stack above return address

○ Function returns and library function executes

○ Attacker may need exact buffer address○ Can even chain two library calls

Heap Overflow● Attack buffer located in heap

○ Typically located above program code○ Memory is requested by programs to use in dynamic data structures (such as linked lists of

records)

● No return address○ Hence no easy transfer of control○ May have function pointers can exploit○ Or manipulate management data structures

● Defenses○ Making the heap non-executable○ Randomizing the allocation of memory on the heap

Global Data Overflow● Defenses

○ Non executable or random global data region

○ Move function pointers

○ Guard pages

● Can attack buffer located in global data

○ May be located above program code○ If has function pointer and vulnerable

buffer○ Or adjacent process management

tables○ Aim to overwrite function pointer later

called

Summary● Buffer overflow (buffer overrun)

○ more input placed into a buffer than the allocated capacity

● Stack buffer overflows○ targeted buffer is located on the stack○ function call mechanisms○ stack frame○ stack overflow vulnerabilities

● Shellcode○ shellcode development○ position independent○ cannot contain NULL values

● compile-time defenses○ resist attacks in new programs

● run-time defenses○ detect and abort attacks in existing

programs○ stack protection mechanisms

● Other forms of overflow attacks○ Replacement stack frame○ Return to system call○ Heap overflows○ Global data area overflows○ Other types of overflows